[erlang-questions] [erlang-patches] SSL distribution fixes
Ingela Anderton Andin
ingela@REDACTED
Mon Jan 16 14:56:19 CET 2012
Hi Paul!
Paul Guyot wrote:
> On 16 Jan 2012, at 10:15, Ingela Andin wrote:
>
>
>> There is one blocking problem that I know of that can happen when
>> a non-ssl node tries to contact an ssl node. If the nodename is
>> fairly short the first message can be seen as the beginning of a
>> correct "ssl/tls"-packet and then it will wait for more data that
>> never comes and the other end is waiting for the response for its
>> first message. This can be fairly easily fixed by adding a check
>> for the value of the first byte for handshake messages. We will
>> be adding this for the next release. This has however not
>> interfered with the legitimate nodes in our tests.
>>
>
> This probably is what happens. The other bug I saw is that the client can timeout (using dist_utils:timer) while the proxy doesn't handle this.
>
> What is the rationale behind the use of the proxy? Isn't it related to the old implementation of SSL?
>
>
We want to avoid having a driver.
> Eventually, we are running a cluster with currently a dozen nodes using the new implementation and the following fixes:
> - the proxy is made more robust to a death of the caller (the crash I reported, typically after a timeout);
> - inet_tls_dist:setup/5 now links the process just like what inet_tcp_dist:setup/5 does (I also set the priority to maximum like inet_tcp_dist does);
> - #hs_data.f_address function was updated to handle the case where the node disappeared, just like inet_tcp_dist does as well. This was done by exporting get_tcp_address from ssl_tls_dist_proxy and changing its return type.
>
> Besides, the proxy is now running on the loopback interface only (the sockets listen on {127,0,0,1}) as it is not meant to be connected from another node, from what I understand...
>
>
I think the changes are sound.
> The patch can be found here:
> https://github.com/pguyot/otp/compare/ssl_dist-fixes
> git fetch git://github.com/pguyot/otp.git ssl_dist-fixes
>
> Paul
>
Henrik has/will include it in pu.
Regards Ingela Erlang/OTP team - Ericsson AB
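
The first-byte check mentioned in the quoted message, as an added example; it is not code from this thread or from OTP. The module name, function names and sample messages are hypothetical and constructed, and the reader without the check is a simplified model of an incremental record parser, not the ssl application's own.

```erlang
%% Added illustration, not OTP code; module and function names are hypothetical.
-module(first_byte_check).
-export([lenient/1, strict/1, demo/0]).

-define(HANDSHAKE, 22).  % TLS record content type for handshake messages

%% Incremental reader without a first-byte check: a buffer that does not
%% (yet) hold a complete handshake record is kept while more data is awaited.
lenient(<<?HANDSHAKE, _Major, _Minor, Len:16, Frag:Len/binary, Rest/binary>>) ->
    {record, Frag, Rest};
lenient(Buffer) ->
    {more, Buffer}.

%% Same reader, but the first packet of a connection is rejected as soon as
%% its first byte is not the handshake content type.
strict(<<First, _/binary>>) when First =/= ?HANDSHAKE ->
    {error, {not_tls_handshake, First}};
strict(Buffer) ->
    lenient(Buffer).

demo() ->
    %% Constructed plaintext first message in the distribution style:
    %% 2-byte length, $n, version, flags, node name.
    Body = <<$n, 5:16, 0:32, "a@b">>,
    Plain = <<(byte_size(Body)):16, Body/binary>>,
    %% Constructed TLS handshake record (version 3.1) with a 4-byte fragment.
    Tls = <<?HANDSHAKE, 3, 1, 4:16, 1, 0, 0, 0>>,
    %% Without the check the reader waits for data that never comes.
    {more, Plain} = lenient(Plain),
    %% With the check the non-ssl peer is refused on its first byte.
    {error, {not_tls_handshake, 0}} = strict(Plain),
    %% A real handshake record is still accepted.
    {record, <<1, 0, 0, 0>>, <<>>} = strict(Tls),
    ok.
```

Calling `first_byte_check:demo()` returns `ok` when all three matches hold.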